// fields.js - 精准字段定义（支持智能提取）

export const DEFAULT_FIELDS = [
  // ========== 时间相关 ========== 
  {
    id: 'timestamp',
    name: '时间戳',
    category: '时间',
    important: true,
    keyPatterns: [
      /^timestamp$/i,
      /timestamp/i,
      /time/i,
      /date/i,
      /createdAt/i,
      /eventTime/i,
      /recordTime/i,
      /cloudTs/i,
	  /uploadTime/i,
	  /recordTimestamp/i,
      /eventTimeStr/i
    ],
    valuePatterns: [
      /(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))/,
      /\b(1[0-9]{9,12})\b/,
      /(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})/,
      /\\{0,3}"timestamp\\{0,3}"\s*:\s*\\{0,3}"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\\{0,3}"/,
      /\\{0,3}"timestamp\\{0,3}"\s*:\s*\\{0,3}"(1[0-9]{9,12})\\{0,3}"/,
	  /"recordTimestamp"\s*:\s*(\d{10,13})/,
	  /"insertTimestamp"\s*:\s*(\d{10,13})/,
	  /"cloudTs"\s*:\s*(\d{10,13})/
    ],
    valueValidation: value => {
      if (/^\d{10,13}$/.test(value)) return true;
      // 确保包含日期和时间部分
      return /(\d{4}[-/]\d{2}[-/]\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(Z|[+-]\d{2}:?\d{2})?)/.test(value);
    },
    // 新增：统一时间格式
    postProcess: value => {
      if (/^\d{10,13}$/.test(value)) {
		const timestamp = parseInt(value);
        const date = new Date(timestamp * (value.length <= 10 ? 1000 : 1));
        return date.toISOString().replace('T', ' ').replace(/\.\d+Z$/, '');
      }
      return value;
    }
  },

  // ========== 源信息 ========== 
  {
    id: 'srcIp',
    name: '源IP',
    category: '网络',
    important: true,
    keyPatterns: [
      /src_?ip/i,
      /source_?ip/i,
      /sip/i,
      /srcaddress/i,
      /sourceaddress/i
    ],
    valuePatterns: [
      /srcIp\s*[:=]\s*"([^"]+)"/,
      /srcIp\s*[:=]\s*([\d.]+)/,
      /sourceIp\s*[:=]\s*"([^"]+)"/,
      /\\{0,3}"sip\\{0,3}"\s*:\s*\\{0,3}"((?:\d{1,3}\.){3}\d{1,3})\\{0,3}"/,
      /"srcIp"\s*:\s*"([^"]+)"/,
      /\\{0,3}"src_?ip\\{0,3}"\s*:\s*\\{0,3}"((?:\d{1,3}\.){3}\d{1,3})\\{0,3}"/
    ],
    valueValidation: value => {
      // 验证IPv4地址格式
      return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(value);
    }
  },
  {
    id: 'srcPort',
    name: '源端口',
    category: '网络',
    important: true,
    keyPatterns: [
      /src_?port/i,
      /source_?port/i,
      /srcport/i,
      /sport/i
    ],
    valuePatterns: [
      /srcPort\s*[:=]\s*(\d+)/,
      /sport\s*[:=]\s*(\d+)/,
      /"srcPort"\s*:\s*(\d+)/,
      /\\{0,3}"sport\\{0,3}"\s*:\s*(\d+)/,
      /\\{0,3}"sport\\{0,3}"\s*:\s*\\{0,3}"(\d+)\\{0,3}"/,
      /\\{0,3}"src_?port\\{0,3}"\s*:\s*\\{0,3}"(\d+)\\{0,3}"/
    ],
    valueValidation: value => {
      // 验证端口范围
      const port = parseInt(value);
      return !isNaN(port) && port > 0 && port <= 65535;
    }
  },
  {
    id: 'srcMac',
    name: '源MAC地址',
    category: '网络',
    important: true,
    keyPatterns: [
      /src_?mac/i,
      /source_?mac/i,
      /srcmac/i,
	  /\\{0,3}"srcMac\\{0,3}"/i,
	  /"srcMac"\s*:\s*"([^"]+)"/ ,
      /\\{0,3}"src_?mac\\{0,3}"\s*:\s*\\{0,3}"([0-9a-fA-F:]{17})\\{0,3}"/,
	  /"srcMac"\s*:\s*"([0-9a-fA-F:]{17})"/
    ],
    valuePatterns: [
      /(?:src_mac|srcMac)\s*[:=]\s*"([0-9a-fA-F-]{17})"/,
	  /"srcMac"\s*:\s*"([0-9a-fA-F:]{17})"/,
	  /"srcMac"\s*:\s*"([0-9a-fA-F-]{17})"/,
	  /"srcMac"\s*:\s*"([^"]+)"/,
	  /(?:src_?mac|source_?mac)\s*["']?[:=]\s*["']([0-9a-fA-F:]{17})["']/,
	  /(?:src_?mac|source_?mac)\s*["']?[:=]\s*["']([0-9a-fA-F:]{17})["']/
    ],
    valueValidation: value => {
      // 验证MAC地址格式
      return /^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$/.test(value);
    },
	postProcess: value => {
		return value.toLowerCase().replace(/-/g, ':');
	}
  },

  // ========== 目标信息 ========== 
  {
    id: 'dstIp',
    name: '目标IP',
    category: '网络',
    important: true,
    keyPatterns: [
      /dst_?ip/i,
      /dest_?ip/i,
      /victimContent/i,
      /destination_?ip/i,
      /dstaddress/i
    ],
    valuePatterns: [
      /dstIp\s*[:=]\s*"([^"]+)"/,
      /dstIp\s*[:=]\s*([\d.]+)/,
      /\\{0,3}"dst_?ip\\{0,3}"\s*:\s*\\{0,3}"((?:\d{1,3}\.){3}\d{1,3})\\{0,3}"/,
      /"dstIp"\s*:\s*"([^"]+)"/,
      /"victimContent"\s*:\s*\["([\d.]+)"\]/,
      /\\{0,3}"victimContent\\{0,3}"\s*:\s*\\{0,3}"((?:\d{1,3}\.){3}\d{1,3})\\{0,3}"/
    ],
    valueValidation: value => {
      // 验证IPv4地址格式
      return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(value);
    }
  },
  {
    id: 'dstPort',
    name: '目标端口',
    category: '网络',
    important: true,
    keyPatterns: [
      /dst_?port/i,
      /dest_?port/i,
      /dstport/i
    ],
    valuePatterns: [
      /dstPort\s*[:=]\s*(\d+)/,
      /\\{0,3}"dst_?port\\{0,3}"\s*:\s*\\{0,3}"(\d+)\\{0,3}"/,
      /"dstPort"\s*:\s*(\d+)/
    ],
    valueValidation: value => {
      // 验证端口范围
      const port = parseInt(value);
      return !isNaN(port) && port > 0 && port <= 65535;
    }
  },
  {
    id: 'dstMac',
    name: '目标MAC地址',
    category: '网络',
    important: true,
    keyPatterns: [
      /dst_?mac/i,
      /dest_?mac/i,
      /dstmac/i,
	  /\\{0,3}"dstMac\\{0,3}"/i,
	  /"dstMac"\s*:\s*"([^"]+)"/,
	  /\\{0,3}"dst_?mac\\{0,3}"\s*:\s*\\{0,3}"([0-9a-fA-F:]{17})\\{0,3}"/,
	  /"dstMac"\s*:\s*"([0-9a-fA-F:]{17})"/
    ],
    valuePatterns: [
      /(?:dst_mac|dstMac)\s*[:=]\s*"([0-9a-fA-F-]{17})"/,
      /\\{0,3}"dst_?mac\\{0,3}"\s*:\s*\\{0,3}"([0-9a-fA-F:]{17})\\{0,3}"/,
      /"dstMac"\s*:\s*"([0-9a-fA-F-]{17})"/,
	  /(?:dst_?mac|dest_?mac)\s*["']?[:=]\s*["']([0-9a-fA-F:]{17})["']/,
	  /"dstMac"\s*:\s*"([0-9a-fA-F:]{17})"/
    ],
    valueValidation: value => {
      // 验证MAC地址格式
      return /^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$/.test(value);
    },
	postProcess: value => {
	  return value.toLowerCase().replace(/-/g, ':');
	}
  },

  // ========== 资产信息 ========== 
  {
    id: 'dstAssetId',
    name: '目标资产ID',
    category: '资产',
    important: true,
    keyPatterns: [
      /dst_?asset_?id/i,
      /dest_?asset_?id/i,
      /target_?asset_?id/i,
      /dstassetid/i
    ],
    valuePatterns: [
      /dstAssetId\s*[:=]\s*\[([^\]]+)]/,
      /"dstAssetId"\s*:\s*\[([^\]]+)]/
    ]
  },

  // ========== 网络相关 ========== 
  {
    id: 'dnsName',
    name: 'DNS名称',
    category: '网络',
    important: true,
    keyPatterns: [
      /dns_?name/i,
      /domain_?name/i,
      /host_?name/i,
      /dnsname/i
    ],
    valuePatterns: [
      /dnsName\s*[:=]\s*"([^"]+)"/,
      /"dnsName"\s*:\s*"([^"]+)"/,
      /\\{0,3}"dns_?name\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/
    ]
  },
  {
    id: 'protocol',
    name: '协议类型',
    category: '网络',
    important: false,
    keyPatterns: [
      /protocol/i,
      /proto/i,
      /\\{0,3}"protocol\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /"protocol"\s*:\s*"([^"]+)"/,
      /^l7Protocol$/i,
      /l7protocol/i
    ],
    valueValidation: value => {
      const validProtocols = ['tcp', 'udp', 'icmp', 'http', 'https', 'dns', 'ftp', 'ssh', 'smtp', 'ldap', 'mysql', 'redis'];
      return validProtocols.includes(value.toLowerCase());
    }
  },

  // ========== HTTP 相关 ========== 
  {
    id: 'userAgent',
    name: '用户代理',
    category: 'HTTP',
    important: false,
    keyPatterns: [
      /user_?agent/i,
      /ua/i,
      /client_?info/i,
      /http_?user_?agent/i
    ],
    valuePatterns: [
      /userAgent\s*["']?[:=]\s*["']([^"'\r\n]+)["']/,
      /"userAgent"\s*:\s*"([^"]+)"(?=[,\r\n}])/,
      /User-Agent:\s*([^\r\n]+?)(?:;|\r|\n|$)/,
      /"userAgent"\s*:\s*"((?:\\"|[^"])+)"/
    ],
    valueValidation: value => {
      // 验证常见 UA 格式
      return /(Mozilla|Chrome|Safari|Firefox|Edge|Apache-HttpClient|curl|Postman)/i.test(value);
    },
	postProcess: value => {
		return value
		  .replace(/\\r|\\n/g, '')
		  .replace(/\\"/g, '"')
		  .trim();
	}
  },
  {
    id: 'contentType',
    name: 'contentType值',
    category: 'HTTP',
    important: false,
    keyPatterns: [
      /content_?type/i,
      /resp_?content_?type/i,
      /req_?content_?type/i,
      /mime_?type/i
    ],
    valuePatterns: [
	  /(?:contentType|reqContentType|respContentType)\s*["']?[:=]\s*["']([^"'\r\n;]+)/,
      /Content-Type:\s*([^;\r\n]+)/i,
      /"contentType"\s*:\s*"([^"]+)"/,
      /"reqContentType"\s*:\s*"([^"]+)"/,
      /"respContentType"\s*:\s*"([^"]+)"/
    ],
    valueValidation: value => {
      // 验证常见内容类型
      return /^(application|text|image|audio|video|multipart)\//.test(value);
    }
  },
  {
    id: 'domain',
    name: '域名',
    category: 'HTTP',
    important: true,
    keyPatterns: [
      /domain/i,
      /host/i,
      /server_?name/i,
      /dns_?name/i
    ],
    valuePatterns: [
      /\\{0,3}"domain\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /"rawMsg"\s*:\s*{[^}]*"domain"\s*:\s*"([^"]+)"[^}]*}/,
      /domain\s*[:=]\s*"([^"]+)"/,
      /"domain"\s*:\s*"([^"]+)"/
    ],
    valueValidation: value => {
      // 允许 IP 地址格式（带端口）
      return /^([a-zA-Z0-9.-]+\.[a-zA-Z]{2,}|(\d{1,3}\.){3}\d{1,3})(:\d+)?$/.test(value);
    }
  },
  {
    id: 'xForwardedFor',
    name: 'X-Forwarded-For',
    category: 'HTTP',
    important: true,
    keyPatterns: [
      /x[-_]forwarded[-_]for/i,
      /xForwardedFor/i,
      /\\{0,3}"x[-_]forwarded[-_]for\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/
    ],
    valuePatterns: [
      // 匹配JSON格式：1) "xForwardedFor":"ip1,ip2,..." 2) "xForwardedFor":["ip1","ip2",...]
      /"xForwardedFor"\s*[:=]\s*((?:\[\s*(?:"[^"]+",?\s*)+\])|"[^"]+")/,
      /X-Forwarded-For:\s*([^\n]+)/i,
      /xForwardedFor\s*=\s*([^\s,]+(?:,[^\s,]+)*)/
    ],
    valueValidation: value => {
      // 验证是否包含至少一个有效的IPv4地址
      return /(\d{1,3}\.){3}\d{1,3}/.test(value);
    },
    postProcess: value => {
      // 1. 移除多余的引号和方括号
      let cleaned = value.replace(/^"|"$/g, '')
        .replace(/^\[|\]$/g, '')
        .replace(/"/g, '');

      // 2. 确保IP格式正确
      return cleaned.split(',')
        .map(ip => ip.trim())
        .filter(ip => /^(\d{1,3}\.){3}\d{1,3}$/.test(ip))
        .join(', ');
    }
  },
  {
    id: 'url',
    name: 'URL',
    category: 'HTTP',
    important: true,
    keyPatterns: [
      /url/i,
      /uri/i,
      /request_?uri/i,
      /full_?path/i,
      /endpoint/i,
      /^httpUri$/i,
      /\\{0,3}"url\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/
    ],
    valuePatterns: [
      /(?:url|httpUri)\s*["']?[:=]\s*["'](https?:\/\/[^"'\s]+)["']/,
	  /(?:GET|POST|PUT|DELETE|PATCH|OPTIONS|HEAD)\s+(\S+)\s+HTTP\/\d\.\d\s+Host:\s*([^\r\n]+)/,
	  /"httpUri"\s*:\s*"([^"]+)"/,
      /"url"\s*:\s*"([^"]+)"/
    ],
    valueValidation: value => {
      // 验证 URL 格式
      return /https?:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.test(value);
    }
  },
  {
    id: 'reqMethod',
    name: '请求方法',
    category: 'HTTP',
    important: true,
    keyPatterns: [
      /req_?method/i,
      /http_?method/i,
      /request_?method/i,
      /\\{0,3}"req_?method\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /verb/i
    ],
    valuePatterns: [
      /reqMethod\s*[:=]\s*"([^"]+)"/,
      /"reqMethod"\s*:\s*"([^"]+)"/,
      /(GET|POST|PUT|DELETE|PATCH|OPTIONS|HEAD)\s+[^\s]+\s+HTTP\/\d\.\d/,
      /Method:\s*([A-Z]+)/
    ],
    valueValidation: value => {
      // 验证 HTTP 方法
      const validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS', 'HEAD'];
      return validMethods.includes(value.toUpperCase());
    }
  },

  // ========== 安全相关 ==========
  {
    id: 'username',
    name: '用户名',
    category: '安全',
    important: true,
    keyPatterns: [
      /user_?name/i,
      /user$/i,
      /login_?user/i,
      /account_?name/i
    ],
    valuePatterns: [
      /username\s*[:=]\s*"([^"]+)"/,
      /loginUser\s*[:=]\s*"([^"]+)"/,
      /\\{0,3}"user_?name\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /user\s*[:=]\s*"([^"]+)"/
    ]
  },
  {
    id: 'password',
    name: '密码',
    category: '安全',
    important: true,
    keyPatterns: [
      /password/i,
      /pwd/i,
      /passphrase/i,
      /secret/i,
      /login_?(?:pwd|password)/i
    ],
    valuePatterns: [
      /loginPassword\s*[:=]\s*"([^"]+)"/,
      /\\{0,3}"password\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /loginPwdEncode\s*[:=]\s*"([^"]+)"/,
      /Pwd\s*[:=]\s*"([^"]+)"/,
      /password\s*[:=]\s*"([^"]+)"/
    ],
    sensitive: true // 标记为敏感字段
  },
  {
    id: 'ioc_resource',
    name: 'IOC资源',
    category: '安全',
    important: true,
    keyPatterns: [
      /ioc_?resource/i,
      /iocresource/i,
      /indicator/i,
      /threat_?indicator/i
    ],
    valuePatterns: [
      /ioc_resource\s*[:=]\s*"([^"]+)"/,
      /"ioc_resource"\s*:\s*"([^"]+)"/,
      /\\{0,3}"ioc_?resource\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/
    ]
  },
  {
    id: 'ioc',
    name: '威胁指标',
    category: '安全',
    important: true,
    keyPatterns: [
      /ioc/i,
      /indicator/i,
      /threat_?type/i,
      /malware_?type/i
    ],
    valuePatterns: [
      // 添加单词边界避免部分匹配
      /\b(CVE-\d{4}-\d{4,7})\b/i,
      /\\{0,3}"ioc\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /\b(malware|ransomware|trojan|worm|spyware|keylogger)\b/i
    ]
  },
  {
    id: 'tiIntelligence',
    name: '恶意域名',
    category: '安全',
    important: true,
    keyPatterns: [
      /ti_?intelligence/i,
      /threat_?intel/i,
      /malicious_?domain/i
    ],
    valuePatterns: [
      /tiIntelligence\s*[:=]\s*"([^"]+)"/,
      /\\{0,3}"ti_?intelligence\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /"tiIntelligence"\s*:\s*"([^"]+)"/
    ]
  },
  {
    id: 'md5',
    name: 'MD5值',
    category: '安全',
    important: true,
    keyPatterns: [
      /^md5$/i,
      /file_?md5$/i,
      /md5_?hash$/i,
      /intelligenceTag/i
    ],
    valuePatterns: [
      /intelligenceTag[^:]*:\s*"([a-f0-9]{32})"/,
      /\\{0,3}"md5\\{0,3}"\s*:\s*\\{0,3}"([a-f0-9]{32})\\{0,3}"/,
      /(?:md5|hash)[:=]\s*"([a-f0-9]{32})"/
    ],
    exclusions: ['midea-env-id', 'session-id', 'correlation-id'],
    valueValidation: value => {
      // 必须为32位十六进制
      return /^[a-f0-9]{32}$/i.test(value);
    }
  },

  // ========== 响应信息 ========== 
  {
    id: 'recommendation',
    name: '处置建议',
    category: '响应',
    important: true,
    keyPatterns: [
      /recommendation/i,
      /suggestion/i,
      /advice/i,
      /action_?plan/i,
      /^solution/i
    ],
    valuePatterns: [
      /recommendation\s*[:=]\s*"([^"]+)"/,
      /"recommendation"\s*:\s*"([^"]+)"/,
      /\\{0,3}"recommendation\\{0,3}"\s*:\s*\\{0,3}"((?:[^"\\]|\\.)+)\\{0,3}"/,
      /"solution"\s*:\s*"((?:[^"\\]|\\.)*)"/,
      /"solution"\s*:\s*"([\s\S]*?)(?<!\\)"(?=,\s*\w+:)/,
    ],
    multiLine: true,
    valueValidation: value => {
      return value && value.length > 50;
    },
    postProcess: value => {
      // 处理转义字符
      return value.replace(/\\"/g, '"')
        .replace(/\\n/g, '\n')
        .replace(/\\t/g, '\t');
    }
  },
  {
    id: 'respStatus',
    name: '响应码',
    category: '网络',
    important: true,
    keyPatterns: [
      /resp_?status/i,
      /response_?status/i,
      /http_?status/i,
      /status_?code/i,
      /^respStatus$/i
    ],
    valuePatterns: [
      /respStatus\s*[:=]\s*(\d{3})/,
      /"respStatus"\s*:\s*(\d{3})/,
      /\\{0,3}"resp_?status\\{0,3}"\s*:\s*\\{0,3}"(\d{3})\\{0,3}"/,
      /HTTP\/\d\.\d\s+(\d{3})\b/
    ],
    valueValidation: value => {
      // 必须是3位数字
      return /^\d{3}$/.test(value);
    }
  },
  {
    id: 'responseBody',
    name: '响应体内容',
    category: 'HTTP',
    important: true,
    keyPatterns: [
      /response_?body/i,
      /resp_?body/i,
      /http_?response_?body/i,
      /\\{0,3}"responseBody\\{0,3}"/i
    ],
    valuePatterns: [
      // 匹配JSON键值对
      /"responseBody"\s*:\s*"((?:\\"|[^"])+)"(?=[,\r\n}])/,
      /"responseBody"\s*:\s*(\{.*?\})(?=[,\r\n}])/s,
      /"responseBody"\s*:\s*"((?:\\"|[^"])*)"(?=[,\r\n}])/,
	  /"body"\s*:\s*(\{.*?\})(?=[,\r\n}])/s,
      /HTTP\/\d\.\d \d{3} [^\r\n]*\r\n(?:[^\r\n]*\r\n)*\r\n([\s\S]+)$/
    ],
    multiLine: true,
    valueValidation: value => {
      return value && value.trim().length > 0;
    },
    postProcess: value => {
      // 处理转义字符
      let cleaned = value
        .replace(/\\"/g, '"')
        .replace(/\\n/g, '\n')
        .replace(/\\r/g, '\r')
        .replace(/\\t/g, '\t');
    
      // 尝试解析JSON
      try {
        const jsonObj = JSON.parse(cleaned);
        return JSON.stringify(jsonObj, null, 2);
      } catch (e) {
        return cleaned;
      }
    }
  },
  // ========== 安全策略 ========== 
  {
    id: 'riskLevel',
    name: '风险等级',
    category: '安全',
    important: true,
    keyPatterns: [
      /risk_?level/i,
      /severity_?level/i,
      /threat_?level/i,
      /severity$/i
    ],
    valuePatterns: [
      /riskLevel\s*[:=]\s*(\d+)/,
      /"riskLevel"\s*:\s*(\d+)/
    ],
    valueValidation: value => {
      const level = parseInt(value);
      return !isNaN(level) && level >= 0 && level <= 10;
    }
  },
  {
    id: 'alertId',
    name: '告警ID',
    category: '告警',
    important: true,
    keyPatterns: [
      /alert_?id/i,
      /alarm_?id/i,
      /incident_?id/i,
      /event_?id/i,
      /threat_?id/i
    ],
    valuePatterns: [
      /alertId\s*[:=]\s*"([^"]+)"/,
      /"alertId"\s*:\s*"([^"]+)"/,
      /\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\b/i // UUID格式
    ]
  },
  // ========== 设备信息 ========== 
  {
    id: 'deviceId',
    name: '设备ID',
    category: '设备',
    important: false,
    keyPatterns: [
      /device_?ip/i,
      /dev_?id/i,
      /sensor_?id/i,
      /collector_?id/i
    ],
    valuePatterns: [
      /deviceIp\s*[:=]\s*"([^,"]+)/,
      /"deviceId"\s*:\s*"([^"]+)"/
    ]
  },

  // ========== 文件信息 ========== 
  {
    id: 'filePath',
    name: '文件路径',
    category: '文件',
    important: true,
    keyPatterns: [
      /file_?path$/i,
      /path$/i,
      /location$/i,
      /full_?path$/i,
      /malware_?path$/i
    ],
    valuePatterns: [
      /(?:"|')([\/]?[\w\-\/. ]+\.\w{1,10})(?:"|')/,  // 引号内的路径
      /([\/][\w\-\/. ]+)/,                           // Linux路径
      /([a-zA-Z]:[\\\/][\w\-\\. ]+)/,                // Windows路径
      /[a-zA-Z]:[\\\/](?:[^\\\/:\*\?"<>\|\r\n]+[\\\/])+[^\\\/:\*\?"<>\|\r\n]+/
    ],
    valueValidation: path => {
      // 简单验证文件路径
      const validExtensions = ['.exe', '.dll', '.js', '.py', '.php', '.log', '.txt'];
      return validExtensions.some(ext => path.endsWith(ext));
    }
  },
  {
    id: 'fileHash',
    name: '文件哈希',
    category: '文件',
    important: true,
    keyPatterns: [
      /file_?hash/i,
      /file_?signature/i,
      /file_?md5/i
    ],
    valuePatterns: [
      /(?:file_?hash|file_?md5|file_?signature)\s*[:=]\s*"([a-f0-9]{32})"/i,
      /\\{0,3}"file_?hash\\{0,3}"\s*:\s*\\{0,3}"([a-f0-9]{32})\\{0,3}"/,
      /\\{0,3}"file_?md5\\{0,3}"\s*:\s*\\{0,3}"([a-f0-9]{32})\\{0,3}"/,
      /"file_?hash"\s*:\s*\["([a-f0-9]{32})"\]/,
      /"file_?md5"\s*:\s*\["([a-f0-9]{32})"\]/
    ],
    valueValidation: value => {
      // 必须是32或40位十六进制
      return /^[a-f0-9]{32}$/i.test(value) || /^[a-f0-9]{40}$/i.test(value);
    }
  },

  // ========== 其他字段 ========== 
  {
    id: 'hostIp',
    name: '主机IP',
    category: '主机',
    important: true,
    keyPatterns: [
      /host_?ip/i,
      /server_?ip/i,
      /endpoint_?ip/i,
      /hostip/i
    ],
    valuePatterns: [
      /hostIp\s*[:=]\s*"([^"]+)"/,
      /hostIp\s*[:=]\s*([\d.]+)/,
      /"hostIp"\s*:\s*"([^"]+)"/,
      /"hostIp"\s*:\s*\["([\d.]+)"\]/
    ],
    valueValidation: value => {
      return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(value);
    }
  },
  {
    id: 'alarmName',
    name: '告警名称',
    category: '告警',
    important: true,
    keyPatterns: [
      /alarm_?name/i,
      /rule_?name/i,
      /dev_?rule_?name/i,
      /alert_?name/i,
      /event_?name/i,
      /incident_?name/i,
      /threat_?name/i,
      /malware_?name/i,
      /devRuleName/i
    ],
    valuePatterns: [
      /alarmName\s*[:=]\s*"([^"]+)"/,
      /"alarmName"\s*:\s*"([^"]+)"/,
      /ruleName\s*[:=]\s*"([^"]+)"/,
      /\\{0,3}ruleName\\{0,3}\s*[:=]\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /\\{0,3}"dev_?rule_?name\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /\\{0,3}"alarm_?name\\{0,3}"\s*:\s*\\{0,3}"([^"]+)\\{0,3}"/,
      /"ruleName"\s*:\s*"([^"]+)"/,
      /"devRuleName"\s*:\s*\["([^"]+)"\]/
    ]
  }
];